build.yaml

name: build

on:
  push:
    branches:
      - "master"
    tags:
      - "v*"
  pull_request:
    branches:
      - "master"

permissions:
  contents: write

env:
  REGISTRY: quay.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  docker:
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build local container
        uses: docker/build-push-action@v6
        with:
          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
          push: false
          load: true
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
          format: "table"
          exit-code: "1"
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"

      - name: Login to Quay.io Container Registry
        uses: docker/login-action@v3
        with:
          registry: quay.io
          username: utilitywarehouse+drone_ci
          password: ${{ secrets.SYSTEM_QUAY_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}